---
title: Globals Access Control
label: Globals
order: 30
desc: Global-level Access Control is specified within each Global's `access` property and allows you to define which users can read or update Globals.
keywords: globals, access control, permissions, documentation, Content Management System, cms, headless, javascript, node, react, nextjs
---

Global Access Control is [Access Control](../overview) used to restrict access to [Global](../globals/overview) Documents, as well as what they can and cannot see within the [Admin Panel](../admin/overview) as it relates to that Global.

To add Access Control to a Global, use the `access` property in your [Global Config](../configuration/globals):

```ts
import type { GlobalConfig } from 'payload';

export const GlobalWithAccessControl: GlobalConfig = {
  // ...
  access: { // highlight-line
    // ...
  },
}
```

## Config Options

Access Control is specific to the operation of the request.

To add Access Control to a [Global](../configuration/globals), use the `access` property in the [Global Config](../globals/overview):

```ts
import { GlobalConfig } from 'payload'

const GlobalWithAccessControl: GlobalConfig = {
  // ...
  // highlight-start
  access: {
    read: ({ req: { user } }) => {...},
    update: ({ req: { user } }) => {...},

    // Version-enabled Globals only
    readVersion: () => {...},
  },
  // highlight-end
}

export default Header
```

The following options are available:

| Function                | Allows/Denies Access                   |
| ----------------------- | -------------------------------------- |
| **`read`**     | Used in the `findOne` Global operation. [More details](#read). |
| **`update`** | Used in the `update` Global operation. [More details](#update). |

If a Global supports [Versions](../versions/overview), the following additional options are available:

| Function           | Allows/Denies Access                                                                                                   |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| **`readVersions`** | Used to control who can read versions, and who can't. Will automatically restrict the Admin UI version viewing access. [More details](#read-versions). |

### Read

Returns a boolean result or optionally a [query constraint](../queries/overview) which limits who can read this global based on its current properties.

To add read Access Control to a [Global](../configuration/globals), use the `read` property in the [Global Config](../globals/overview):

```ts
import { GlobalConfig } from 'payload'

const Header: GlobalConfig = {
  // ...
  // highlight-start
  read: {
    read: ({ req: { user } }) => {
      return Boolean(user)
    },
  }
  // highlight-end
}
```

The following arguments are provided to the `read` function:

| Option    | Description                                                                |
| --------- | -------------------------------------------------------------------------- |
| **`req`** | The [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) object containing the currently authenticated `user`. |

### Update

Returns a boolean result or optionally a [query constraint](../queries/overview) which limits who can update this global based on its current properties.

To add update Access Control to a [Global](../configuration/globals), use the `access` property in the [Global Config](../globals/overview):

```ts
import { GlobalConfig } from 'payload'

const Header: GlobalConfig = {
  // ...
  // highlight-start
  access: {
    update: ({ req: { user }, data }) => {
      return Boolean(user)
    },
  }
  // highlight-end
}
```

The following arguments are provided to the `update` function:

| Option     | Description                                                                |
| ---------- | -------------------------------------------------------------------------- |
| **`req`**  | The [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) object containing the currently authenticated `user`. |
| **`data`** | The data passed to update the global with.                                 |

### Read Versions

If the Global has [Versions](../versions/overview) enabled, the `readVersions` Access Control function determines whether or not the currently logged in user can access the version history of a Document.

To add Read Versions Access Control to a Collection, use the `readVersions` property in the [Global Config](../globals/overview):

```ts
import type { GlobalConfig } from 'payload'

export const GlobalWithVersionsAccess: GlobalConfig = {
  // ...
  access: {
    // highlight-start
    readVersions: ({ req: { user }}) => {
      return Boolean(user)
    },
    // highlight-end
  },
}
```

The following arguments are provided to the `readVersions` function:

| Option    | Description                                                                |
| --------- | -------------------------------------------------------------------------- |
| **`req`** | The [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) object containing the currently authenticated `user`. |
